Close HealthCare.gov For Security Reasons, Experts Say

Testifying before the House technology committee, four security experts advise would-be HealthCare.gov users to steer clear of the site, pending security improvements.

9 Android Apps To Improve Security, Privacy

(click image for larger view)

Should the embattled HealthCare.gov website be shut down until the White House proves it's secure?

That was one approach advocated by several security experts, testifying Tuesday during the House Science, Space, and Technology committee's "Is My Data on HealthCare.gov Secure?" hearing.

Ever since the October 1 launch of the federal HealthCare.gov portal, which implements the Affordable Care Act and is used by 36 states, security experts have been warning that the site is vulnerable to a number of different types of attacks. To date, would-be hackers appear to have paid scant attention to the site, but many security experts -- and legislators -- have voiced their concerns over the hack-attack potential for a healthcare portal that handles people's personal information, including social security numbers, income levels, and medical details.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said committee chairman Lamar Smith (R-Texas) at the hearing.

"Several vulnerabilities have already been identified, and we know of at least 16 attempts to hack into the system. And I heard this morning that there were another 50," he added. "But we can assume that many more security breaches have not been reported."

David Kennedy, CEO of information security consulting firm TrustedSEC, echoed that assessment, saying there was no way that HealthCare.gov had been targeted only 16 times in the first six weeks after it launched. "What this statement shows is the lack of a formal detection and prevention capability within the website and its infrastructure," said Kennedy. "On average, while working for an international Fortune 1000 company, our main website was attacked over 230 -- averaged [out to] 232 attacks a day for the year of 2012 -- times a day."

Whatever the attack volume, the security experts testifying at the hearing all emphasized the challenge of trying to secure any infrastructure that sports 500 million lines of code, and which was implemented in a rush. "When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security," Fred Chang, a former NSA research director who now heads the cybersecurity program at Southern Methodist University in Dallas, told Congress. Likewise, for maximum protection, "ideally, security is built into an application from the very beginning rather than having it 'bolted on' afterwards," he said.

President Obama signs the Affordable Care Act.

Avi Rubin, a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University in Baltimore, questioned the implementation methodology employed for the site, and especially the lack of beta testing with real users. "Most large, consumer-facing web-based rollouts happen in phases," Rubin told the committee. "For example when Google introduces a new service, they initially offer it to a select group of users. As bugs are ironed out and problems are resolved, the new functionality is enabled for more users. It is an iterative process, and there are always issues to resolve."

"One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day," he added. "That is not the way large systems go live in practice."

What should happen next? TrustedSEC's Kennedy outlined three scenarios: fixing the in-production site, shutting the website down entirely until it can be fixed, or using secure coding practices to build a brand-new "version 2.0" HealthCare.gov website in parallel with the current one. He recommended pursuing the last approach. "If design and code quality weren't created from the start, the fixes that we see now will only be small patches for a much larger problem," he said.

But how likely is it that HealthCare.gov might be taken offline, or rebooted any time soon via a version 2.0? In recent days, some Obama administration officials have said they want to have the site up and working for the "vast majority" of Americans by the end of this month.

Furthermore, Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), which is responsible for building HealthCare.gov, said in a separate House hearing Tuesday that the site sported "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.

"I was not informed directly that the website would not be working the way it was supposed to. Had I been informed, I wouldn't be going out saying, 'Boy, this is going to be great,' " he told reporters. "I'm accused of a lot of things, but I don't think I'm stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opened, if I thought it wasn't going to work."

The president added: "We would not have rolled out something knowing that it wasn't going to work the way it was supposed to, given all the scrutiny we knew would be on the website."

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Who would care to make an argue that it's better to soldier on and fix the system while continuing to operate it? Is there a technical argument for keeping the site live, as opposed to a political one?

It's hard to take as credible the statement by Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), when he says Healthcare.gov sports "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid. The Medicare and Medicaid sites are still going through rigorous reviews and improvements in security controls and they are mature systems. Going live with Heathcare.gov before completing the necessary testing seems like opening a US embassy in Russia while it's still under construction and expecting nothing incideous will happen. The notion of replacing the current system with a new one maybe a hard pill to swallow, but it may be the right decision.

EVERY site -- every Internet-connected device -- is constantly being probed for weaknesses. The only way the ACA site is 100% safe is if it's unplugged, which is exactly what the GOP wants. No matter how much money or expertise you throw at code, no one can promise 100% invulnerability. To imply otherwise is disingenuous.

I'm with Lorna. As you took quote from a Republican politician, who probably needs help from his 9 year old to reboot his computer, this article lost some credibility.

The government has had enough of our information for many years that someone could use for identity theft. Why we are now talking about this because of this new application? If this site is not "safe", then I'm sure the IRS, Medicare, etc are just as vulnerable. And only to the very best and brightest hackers, no script kiddie is cracking these sites. The guys that wrote StuxNet? They can probably get into anything that is usable and connected. That's life today.

As Prof. Rubin states, "One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day. That is not the way large systems go live in practice."

Any Internet company would have started with a website where people signed up to get a notification when the live site was available, and invitations would then be metered out to those people to try it before it went live to any larger group. That kind of slow roll out could have identified scalability problems early and minimized security issues.